Hi there,
I have a FortiGate 100D running v5.0, build4429 (GA).
In the Traffic History widget I can see my Internet connection saturated, inbound and/or outbound.
Users are complaining that Internet is very slow.
Top Sessions by Destination or Source Address widget shows current usage?
Top Clients by Bandwidth widget also shows me some info.
Is there a better way to try to determine live, at any time, what internal IPs are using up the most bandwidth and what hosts they are connected to?
Will a FortiAnalyzer help?
Are there better solutions outside of obtaining info from the FortiGate such as port mirroring on a switch to a Linux VM with special network monitoring software on it?
Ideally, I'd want a solution that can also email me alerts if there is any particular internal host that is utilizing excessive bandwidth. I'd like to know if the traffic is legitimate business traffic or from malware or for personal use.
Thanks in advance for any suggestions/feedback.
Cheers,
Derek
I'd rather to use other solution like fortianalyzer and fireplotter.
Also I suppose you to upgrade 5.2.1. In FortiView menu you have better reports.
Take a look at this blog I pulled together. This is what I do sometimes when managing devices that have no true collections methods.
http://socpuppet.blogspot.com/2014/09/howto-find-out-how-many-bps-policy-is.html
If you have unix and plotting skills, you can poll the unit and build statistics. It's also a good means when t-shooting a specific event at that time.
Forticloud would be another option with trending.
PCNSE
NSE
StrongSwan
am using firewall analyzer .. fortianalyzer is a good option to..
FCSNP 5, JNCIS-FW,JNCIA-SSL ,MCSE, ITIL.
Hi Derek,
You cant do proper monitoring using the FortiGate counters (Fortigate/FortiCloud/FortiAnalyser/SNMP)
All traffic that is offloaded to the hardware acceleration isn't counted anymore so you wont see correct numbers.
You need at least a NP6 network processor to get the offloaded traffic counted correctly. (only in high end FortiGate models)
This is also explained in the fortigate-hardware-accel documentation.
I'm really disapointed about this because reporting and monitoring was one of our mandatory requirements when bought our FortiGate cluster. Our FortiNet partner didn't told me it wouldn't work without buying expensive high end models. So we are stuck with useless traffic reporting.. :(
The only workaround is completely disabling the traffic offloading but that puts all the stress on the normal processor so it has a huge performance penalty.
You can also check the folowing blog for a nice explaination:
http://blog.helge.net/2014/05/fortigate-snmp-interface-counters-is.html
Maybe you can get yourselve a switch that supports Netflow and use that information to do the alerting.
- MBR -
NSE1, NSE2, NSE3
FGT60D/E, FWF60D/E, FGT200D
You need at least a NP6 network processor to get the offloaded traffic counted correctly. (only in high end FortiGate models) This is also explained in the fortigate-hardware-accel documentation.
Correct in some case but you have one more method. Netflow. yes netflow is a support function in 5.2.
But you have one more friend.
( it's like 6-8 lines of cfg )
config system netflow set collector-ip 10.10.80.11 set collector-port 5400 set source-ip 10.10.80.1 set active-flow-timeout 10 set inactive-flow-timeout 5 end
provides on interfaces that are Layer3 assigned. Don't think it will work with transparent mode vdom. And then you have sflow as an alternative.
PCNSE
NSE
StrongSwan
Hi Emnoc,
But i wonder if the netflow packets include the offloaded traffic statistics or also only the first packet of a flow and traffic that can not be offloaded.
Any experience on this?
- MBR -
NSE1, NSE2, NSE3
FGT60D/E, FWF60D/E, FGT200D
We believe this is just as reliable and we have numerous fortigates with no NP6 asic. You can validate by install a flow collector and generate a multiple of flows at a set rate ( iperf/jperf /D-ITG comes in handy ) and then monitor the flow cache and information.
How much statistics are lost when offload is not 100% rock solid. Also we find only vpn encrypted traffic seems to exhibit flutter and fluctuations when do our own benchtesting.
You can try sflow and but be aware of the polling interval which is always a requirement for sflow. I believe a few opensource or demo collectors that support sflow collections exists. The sflow exportation has been out as earlier as v4.0, and netflow since v5.2. Netflow is probably more redefine due to the number of cisco device out in planet earth, so more collectors are netflow aware & internet community in whole is more netflow knowledgeable.
PCNSE
NSE
StrongSwan
Hello emnoc, MBR, norouzi, and Fahad.
Thanks very much for your expert feedback - all great info, some of it I must admit over my head since I'm not a networking expert (I'm an IT manager, so more of a generalist). I do have hopes that I will be able to hire a network engineer to help me soon.
What has worked good enough for the small office I'm based in:
1. In the Top Sessions widget, I set to report by Source Address
2. In the widget I right-click on source IP with top bandwidth usage and choose "Show Top Destinations" or "Show Top Applications"
The above has helped to reveal to me who in my office was utilizing a ton of bandwidth (based on their IP address) and what sites they were connecting to (local video streaming sites reporting on the Hong Kong protests).
I hope to be able to get more advanced reporting, logging and analysis by getting a FortiAnalyzer, managed by a network engineer.
Thanks again, all.
Cheers,
Derek
Hi,
You could use Forticloud or Fortianalyser for enhanced logging, you can request a trial of Fortianalyzer if you wanted to test it first
Mark
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1739 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.